Unsafe passwords and weak encryption: what's going on with Zoom?

2020-04-01T14:39:32.500Z

The popular video calling app Zoom has been under fire for a few days due to multiple privacy issues. For example, passwords are not properly secured, users can view each other's account information and the encryption does not work properly. Can you still use Zoom without any worries?


Zoom came under scrutiny last week after Motherboard discovered that the app sent user data to Facebook, even if users don't have a Facebook account.

A day later, Zoom announced that it would stop sharing this data with Facebook. But in the days that followed, privacy issues piled up.

Leaks personal information

Zoom leaks personal information of at least thousands of users, including their email address and photo, and allows strangers to start a video call with them, Motherboard wrote Tuesday.

Zoom automatically adds people to a user's contact list if they have signed in with an email address that shares the same domain; the app thinks these people work for the same company.

But because of this, Zoom has also grouped multiple users who signed up with personal email addresses together with thousands of other people. These users could thus see each other's account information. This also happened to Dutch users who, for example, have an email address that ends with @xs4all.nl.

Zoom has not yet responded to Motherboard's findings.
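The domain-matching behaviour described above, as an added example that is not Zoom's code and not part of the original article: it builds contact lists by email domain the naive way, then again with a deny-list of shared mail domains. The sample addresses, the function names and the deny-list entries other than xs4all.nl are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample accounts; the addresses are illustrative only.
ACCOUNTS = [
    "alice@example-corp.test",
    "bob@example-corp.test",
    "carol@xs4all.nl",
    "dave@xs4all.nl",
    "erin@xs4all.nl",
]

# Assumption: a maintained list of consumer/ISP mail domains whose users
# do not belong to one organisation. Only xs4all.nl comes from the article.
SHARED_MAIL_DOMAINS = frozenset({"xs4all.nl", "gmail.com", "outlook.com"})


def domain_of(address):
    """Return the lower-cased domain part, or None if the address is malformed."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.strip().lower().rstrip(".")


def build_directories(accounts, shared_domains=frozenset()):
    """Map each account to the set of other accounts auto-added as contacts."""
    by_domain = defaultdict(set)
    for addr in accounts:
        dom = domain_of(addr)
        if dom is None or dom in shared_domains:
            continue  # never auto-group malformed or shared-provider addresses
        by_domain[dom].add(addr)
    contacts = {addr: set() for addr in accounts}
    for members in by_domain.values():
        for addr in members:
            contacts[addr] = members - {addr}
    return contacts


if __name__ == "__main__":
    for label, shared in (("naive", frozenset()), ("deny-list", SHARED_MAIL_DOMAINS)):
        print(label)
        for addr, seen in sorted(build_directories(ACCOUNTS, shared).items()):
            print(f"  {addr} sees {sorted(seen)}")
```

A deny-list only covers the providers someone has thought to add, so in this sketch any shared domain missing from it is still treated as a single company.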

.@xs4all why does Zoom think that all xs4all users are my company contacts? Can you disable that


User passwords are not properly secured

Zoom also contains a vulnerability that could allow malicious parties to discover the password of users, BleepingComputer wrote Tuesday after a tweet from security researcher @_g0dmode.

Users can share website URLs in chat messages. By clicking on the links they will reach the website in question. The problem is that users can also place clickable links in Zoom that lead to files on the user's computer. This allows a malicious person to steal the Windows password from the user who clicks the link.

As soon as a user clicks on a link that leads to a file on the computer, Windows automatically forwards the login information to the malicious person. The password is encrypted, but according to the security researcher it is easy to crack.

In addition, another security researcher, Patrick Wardle, discovered two new bugs on Wednesday that could be used to take over a Zoom user's Mac. By exploiting the bugs, a malicious party could turn on the webcam and microphone without the user's permission.

Zoom has not yet responded to this. The bugs have not yet been repaired by the company.

Weaker encryption than is claimed

Zoom writes on its website that end-to-end encryption is applied to the video calls. This is a strong form of encryption in which a message, or in this case a video call, is encrypted from the start to the end point. So it is encrypted directly from the devices of the Zoom users who make video calls to each other. Zoom would not be able to see the video call. But research by The Intercept showed on Tuesday that this is not the case at Zoom.

Zoom's video calls are encrypted against third parties, but Zoom itself has access to the unencrypted video and audio content of the video calls, contrary to what Zoom indicates on its website.

Zoom denies that users are being misled. "When we use the phrase 'end-to-end', it refers to the connection encrypted from Zoom endpoint to Zoom endpoint," the company told The Intercept. These endpoints are Zoom's servers, not the devices of the users themselves.


How much do you have to worry about this?

Zoom is not the only app that is careless with privacy: several video calling apps prove careless with online security, according to a survey by VPNgids. "The programs that are often used are not the safest. Because some services exploit user data, they have larger budgets. And with those budgets, they can advertise more to recruit even more users," David Janssen, cybersecurity expert at VPNgids.nl, tells NU.nl.

Therefore, think carefully about what you want to use the video calling services for before choosing a particular service, Janssen advises. "For private communication, the risk when using Zoom is less. But if you want to discuss confidential information: choose a secure app. There are a number of smaller services, such as Jitsi, that do value privacy."